2021-11-09 –, Room 3
We often use pre-built software binaries and trust that they correspond to the program we want.
But nothing assures that these binaries were really built from the program's sources and a set of reasonable build instructions.
Common, costly supply chain attacks exploit this to distribute malicious software, which is one reason why most software is delivered through centralized, highly secured providers.
Trustix, our reference implementation of a new concept we like to call "build transparency", solves this in an entirely different, decentralized manner.
We can accomplish this by leveraging the transparency properties of purely functional package managers such as Nix and coupling this with transparency logs that can be cross compared across multiple independent trust roots.
This talk will guide you through the general ideas and concepts underlying this idea and the practical challenges in implementing such as system.
Adam is a senior software engineer with Tweag I/O specialising in Nix and related technologies.